Troubleshoot like a pro with tcpdump

When it comes to troubleshooting, everyone talks about the power of the tcpdump command — after all, “the wire never lies.” But to really use it, you need to put in some time to understand the options. Let us save you some time and give you a quick overview of this powerful tool. You’ll be troubleshooting like a pro in no time!

What is tcpdump and why does it matter?

For those unfamiliar with this powerful command, tcpdump is a packet analyzer that prints out a description of packets being transmitted or received over a network. Each line of output represents a packet. By default, every line begins with a time stamp printed as hours, minutes, seconds, and fractions of a second since midnight. When it exits, tcpdump also reports how many packets it captured, how many were received by the filter (exactly what that counts varies by OS) and how many were dropped by the kernel; a non-zero drop count means the trace has holes in it, so treat any “missing” packet with suspicion. Essentially, tcpdump does exactly what its name implies: it “dumps” the content of packets to the CLI so you can analyze it for yourself.
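As an added example (not code from the original post or from Cumulus Networks), here is a small Python parser for tcpdump's default output that shows how to read what the paragraph describes: it turns the since-midnight time stamps into seconds, measures the gap between consecutive packets (handling a capture that runs across midnight, where the printed clock restarts), pulls the source and destination out of each line, and reads the counters tcpdump prints on exit, refusing to call a trace complete when the kernel dropped packets. The sample text is constructed, with tcpdump's stderr summary merged into stdout as `tcpdump ... 2>&1` would give you; the function and field names are assumptions of this example, not tcpdump's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of tcpdump's default output with stderr merged (2>&1).
# Not a real capture: four packets straddling midnight, then the counters
# tcpdump prints when it exits.
SAMPLE = """\
23:59:59.990000 IP 10.0.0.5.54321 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
00:00:00.000500 IP 10.0.0.1.22 > 10.0.0.5.54321: Flags [S.], seq 2, ack 2, win 65160, length 0
00:00:00.200000 ARP, Request who-has 10.0.0.9 tell 10.0.0.5, length 28
00:00:00.300000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
4 packets captured
6 packets received by filter
2 packets dropped by kernel
"""

# hh:mm:ss.frac, the protocol tag ("IP", "IP6", "ARP,"), then the rest of the line.
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d+)\s+(\S+?),?\s+(.*)$")
# "src > dst:" as tcpdump prints it for IP traffic (host.port for TCP/UDP).
ENDPOINTS_RE = re.compile(r"^(\S+) > (\S+?):")
SUMMARY_RE = re.compile(r"^(\d+) packets (captured|received by filter|dropped by kernel)$")


@dataclass
class Packet:
    ts: float            # seconds since midnight, as tcpdump prints it
    proto: str           # "IP", "IP6", "ARP", ...
    src: Optional[str]   # None when the line carries no "a > b:" pair (e.g. ARP)
    dst: Optional[str]
    rest: str


@dataclass
class Summary:
    captured: int = 0
    received_by_filter: int = 0
    dropped_by_kernel: int = 0


def parse_tcpdump(text: str) -> Tuple[List[Packet], Summary]:
    """Split merged tcpdump output into per-packet records and the exit counters."""
    packets: List[Packet] = []
    summary = Summary()
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            n, what = int(m.group(1)), m.group(2)
            if what == "captured":
                summary.captured = n
            elif what == "received by filter":
                summary.received_by_filter = n
            else:
                summary.dropped_by_kernel = n
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines (-v, -X output) belong to the previous packet
        hh, mm, ss, frac, proto, rest = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(frac) / 10 ** len(frac)
        e = ENDPOINTS_RE.match(rest)
        src, dst = (e.group(1), e.group(2)) if e else (None, None)
        packets.append(Packet(ts, proto, src, dst, rest))
    return packets, summary


def gaps(packets: List[Packet]) -> List[float]:
    """Seconds between consecutive packets. The printed clock restarts at
    00:00:00, so a negative difference means the capture ran past midnight."""
    out = []
    for a, b in zip(packets, packets[1:]):
        d = b.ts - a.ts
        if d < 0:
            d += 86400.0
        out.append(d)
    return out


def conversations(packets: List[Packet]) -> Counter:
    """Packet count per (proto, src, dst): who is talking to whom."""
    return Counter((p.proto, p.src, p.dst) for p in packets if p.src is not None)


def capture_is_complete(summary: Summary) -> bool:
    """A trace with kernel drops has holes; don't reason about packets you never saw."""
    return summary.dropped_by_kernel == 0


if __name__ == "__main__":
    pk, s = parse_tcpdump(SAMPLE)
    for p in pk:
        print(f"{p.ts:12.6f} {p.proto:4} {p.src} -> {p.dst}")
    print("gaps:", [round(g, 6) for g in gaps(pk)])
    print("talkers:", conversations(pk).most_common(3))
    print("complete:", capture_is_complete(s), vars(s))
```

If you need to line a capture up against syslog or another box's clock, run tcpdump with -tttt so it prints a full date and time instead of the since-midnight stamp; the midnight rollover handling above then becomes unnecessary.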

So, why is this so important for troubleshooting? Think of it this way. When a box isn’t behaving, seeing what it is actually receiving on the wire, versus what it is sending to the neighbors it thinks it is connected to, is often the quickest way to find the problem.

What traffic can I capture?

The Linux kernel manages the network interfaces. A filter decides which packets the kernel copies up to userspace, where the tcpdump application runs; everything else is discarded in the kernel without the cost of a copy. These filters are expressed in BPF (Berkeley Packet Filter) and are compiled from the match expression you give on the tcpdump command line.

On Cumulus VX (Virtual Experience), all datapath packets are processed by the Linux kernel. However, for performance, Cumulus Linux on hardware switches uses specialized switching ASICs (Application Specific Integrated Circuits) to forward datapath packets. Only control-plane traffic (destined to the switch itself) is sent to the CPU on a hardware switch, so tcpdump on a front-panel port of a hardware switch shows you control-plane packets but not the transit traffic the ASIC forwarded. This is one major benefit of testing on Cumulus VX. See the diagram below, which highlights the difference in capturing packets on Cumulus VX versus a physical switch.

What are my options?

What can’t you do with tcpdump is an easier question to answer. If we were to encapsulate all of the options and possibilities that tcpdump offers, this would start to look more like War and Peace than a blog post. Fortunately, the brilliant GSS engineers at Cumulus Networks have compiled a handy guide that has all of the tcpdump basic and advanced options in one place. Check it out and take your packet sniffing abilities to German Shepherd levels!